
Latest News!

Boosting Cyber Threat Detection in Life Sciences and Health Care Industry

November 17, 2024

In a rapidly changing threat landscape, organizations in the life sciences and health care industry are leveraging machine learning and AI to bolster their cyber threat detection amid a shortage of skilled professionals.

“What we’re seeing today is an ever-accelerating threat landscape,” says Keith Brogan, a managing director with Deloitte & Touche LLP. “The threats are changing at a pace where it is hard—if not impossible—to keep pace with them.”

Speaking during a podcast interview, Brogan explains that a shortage of skilled labor and increased outsourcing of non-core tasks and functions to third parties are contributing to an exponential increase in the challenges and risks these organizations often face.

One way to accelerate the pace of threat detection is by moving from looking for patterns of activity to looking for patterns of behavior, says Brogan.

“It may sound the same, but there is a very subtle difference,” he says. “We start to look for the behaviors we can expect from threat actors. Machine learning and AI are helping organizations start to get better at that.”

Organizations may benefit from shifting their operating models from a reactive approach to a more proactive one. Instead of solely looking for prescriptive signs of brute force attempts, they might consider the possibility of threat actors already having some knowledge of the organization and its employees, such as passwords from breached third-party vaults. Focusing on behavioral patterns, such as usual login times and locations, can help organizations detect anomalies.

“Organizations need to understand the behaviors of threat actors and how they play out across their specific environment,” Brogan says. If organizations can enhance their understanding of bad actors’ behaviors, they can then incorporate that knowledge into their security operations and third-party risk management strategies.
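The shift from activity patterns to behavior patterns can be shown with a small per-user login baseline. This is an added example, not code from the article or from Deloitte: the event tuples, user names, country codes and thresholds are constructed assumptions. A login with a valid stolen password produces no failed attempts, so the failed-login rule stays silent while the baseline check flags the unfamiliar hour and location.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (user, ISO timestamp in UTC, country, success)
HISTORY = [
    ("asmith", "2024-11-04T08:12:00", "US", True),
    ("asmith", "2024-11-05T08:47:00", "US", True),
    ("asmith", "2024-11-06T09:05:00", "US", True),
    ("asmith", "2024-11-07T17:30:00", "US", True),
    ("bjones", "2024-11-04T22:10:00", "CA", True),
    ("bjones", "2024-11-05T23:02:00", "CA", True),
    ("bjones", "2024-11-06T00:15:00", "CA", True),
]
# Constructed event: correct password on the first try, so no failures precede it.
STOLEN_CRED_LOGIN = ("asmith", "2024-11-09T03:14:00", "XX", True)

def build_baseline(events):
    """Per-user sets of login hours and countries seen in successful logins."""
    base = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country, ok in events:
        if ok:
            base[user]["hours"].add(datetime.fromisoformat(ts).hour)
            base[user]["countries"].add(country)
    return base

def hour_distance(hour, usual):
    """Smallest circular distance in hours to any usual hour (23 and 0 are 1 apart)."""
    return min(min(abs(hour - u), 24 - abs(hour - u)) for u in usual)

def failed_login_rule(events, user, threshold=5):
    """Activity-pattern rule: fires only on repeated failed logins."""
    return sum(1 for u, _, _, ok in events if u == user and not ok) >= threshold

def behavior_findings(baseline, event, hour_tolerance=2):
    """Reasons a successful login deviates from the user's own baseline."""
    user, ts, country, ok = event
    if not ok:
        return []
    if user not in baseline:
        return ["no baseline for user"]
    profile, reasons = baseline[user], []
    if country not in profile["countries"]:
        reasons.append(f"new country {country}")
    if hour_distance(datetime.fromisoformat(ts).hour, profile["hours"]) > hour_tolerance:
        reasons.append("unusual hour")
    return reasons
```

The hour comparison is circular so that a user who normally signs in around midnight is not flagged for a 01:00 login.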

Challenging the Status Quo

Within the life sciences and health care industry, there is an increasing reliance on third parties to support critical business processes, which can greatly raise the risk of operational disruption if any of the third parties engaged by an organization were to have a cyber incident, observes Steph Meehan, a partner with Deloitte & Touche LLP, who joined Brogan on the podcast.

“Third-party risk management programs should shift their focus from a compliance perspective to one that’s more proactive in managing operational risk and mitigating or reducing the risk of disruption to key operations,” Meehan says.

Meehan is also seeing an uptick in “assessment fatigue” from her clients’ internal business partners, who seem to be growing frustrated with the long cycle times needed to perform third-party risk assessments and who seem disillusioned with the “check-the-box” focus of some third-party risk management programs.

“The focus should shift from that compliance-driven approach to operational resiliency,” she says.

Historically, when an organization decides to engage a third party, they carry out an initial inherent risk assessment, perform due diligence, and then file the assessment away and revisit it infrequently, if at all, Meehan explains.

“Today, organizations should consider having a feedback loop into their third-party risk management program,” she observes. This would include analyzing past incidents and issues with third parties, reassessing the initial risk assessment and due diligence process, and determining if changes are needed in the preliminary risk management approach.

Organizations should also consider how to supplement third-party risk management with external data; how to monetize the program; and how to incorporate machine learning and natural language processing to not only make the assessment process more efficient, but also to provide near-real-time monitoring to identify and respond to third-party incidents.

Given the staffing shortages in the life sciences and health care industry, leaning into these technologies may help organizations do more with less. For example, natural language models could be used to ingest and validate third-party control assessments and reports with the aim of reducing the time required to review a vendor security questionnaire. This could enable redeployment of resources to support additional continuous monitoring or risk mitigation.

“In some instances, this is either not being done, or it’s being done in a manual capacity with full time employees that many organizations struggle to retain,” Meehan adds. “Being able to incorporate some of these advanced technologies should enable organizations to enhance their programs, while maintaining a steady headcount.”

Improving Data Management

Advanced technologies can also help organizations better handle the vast amounts of data generated from security operations.

“Traditionally, handling that massive amount of data was a challenge due to limited system capacities,” Brogan explains. “However, many businesses now have the capacity to process larger amounts of data—however, the challenge lies in effectively managing and utilizing it.”

With the advent of new data storage, ingestion, and analytics tools that can be paired with security orchestration, automation, and response (SOAR) systems and ticketing systems, analysts can be notified of an event that needs investigation. Needed context, such as where the system is, what kind of data is on the system, who the user is, and what the user does for the enterprise, can be built in so that analysts don’t need to spend time tracking it down. Given the shortage of skilled labor, a key focus is reducing the burden of time.

“In many cases, this type of set-up can even tell an analyst what the automation, or machine learning has determined it thinks the problem is, and then the analyst can validate that,” Brogan says.
